Agent3 Hub
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a broad remote MCP gateway that can invoke many third-party agents and APIs, so users should review its scope before giving it an API key.
Install only if you want a broad remote hub that can connect your agent to many external agents and APIs. Keep the API key scoped and private, verify each resource before invoking it, and require approval before using generic invoke or register tools.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user's agent could call unexpected remote resources or operations through the hub if it decides they are relevant.
The core tool surface is a generic gateway to invoke any registered resource, rather than a narrow set of known operations.
Agent3 Hub ... exposes every registered resource as a tool via a single MCP endpoint — connect once, invoke anything.
Only enable this skill when you need a broad registry gateway, and require explicit confirmation before invoking resources, agents, or registration actions.
Prompts, queries, or other user-provided inputs may be sent to third-party agents or services whose behavior and data policies are not visible in the skill artifact.
The skill supports direct agent-to-agent invocation through a remote hub, but the artifact does not define identity, origin, permission, or data-handling boundaries for those downstream agents.
`agents_invoke` | Invoke an A2A agent directly
Avoid sending sensitive information through this hub unless you have verified the specific resource or agent being invoked and its data handling.
Anyone or any agent process with access to the key may consume the user's Agent3 quota or act as that account within the hub's allowed capabilities.
The skill requires a service API key, which is expected for authenticated hub access but still grants account-level access to the Agent3 service.
requires:
  env:
    - AGENT3_API_KEY
Use a dedicated key if possible, store it securely, and revoke or rotate it if you stop using the skill.
The local MCP bridge behavior may change if the unpinned package changes upstream.
The setup uses npx with an unpinned mcp-remote package. This is a common MCP setup pattern, but it depends on the current package retrieved at setup time.
"command": "npx", "args": ["-y", "mcp-remote", "https://hub.agent3.me/api/mcp"]
Pin the mcp-remote package version where possible and install only from trusted package sources.
